Wiz researcher Sagi Tzadik joins us to break down how a single semicolon led to a critical Remote Code Execution (RCE) vulnerability in GitHub.

For two years, Sagi sat on a lead. Reverse engineering GitHub's microservices manually was too tedious to justify the time. Then, AI agents arrived. By hooking Claude directly into his reverse engineering software, he condensed months of grueling binary analysis into 48 hours. The result? A critical bug in how GitHub handles git push options that exposed both SaaS and Enterprise environments. We get into the weeds on how different microservices interpreting the same input differently creates massive attack surfaces, and why security by obscurity is officially dead in the age of AI.

What's Inside:
- How combining Claude with the IDA MCP server dramatically sped up the reverse engineering process
- The technical anatomy of the GitHub semicolon vulnerability.
- Why microservice communication breakdowns lead to critical RCEs.
- The massive difference in impact between GitHub.com and GitHub Enterprise Server.
- Why Enterprise users need to patch their instances immediately.

Resources:
- Learn more about the findings at: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 

Hacking GitHub with a Semicolon & Claude with Sagi Tzadik

Igor Andriushchenko joins Crying Out Cloud to explain how vibe coding changes the role of security engineers. The shift from typing lines of code to shaping entire systems means security teams need new strategies. Developers expect their shipping velocity to increase tenfold with AI assistance. Relying on traditional hard deployment blocks will only cause friction. If you want to understand how to build secure guardrails for AI development without destroying developer momentum, this conversation covers the exact mechanics.

What's Inside:
* The evolution of the Stockholm tech scene and human ambition driven by AI.
* How Lovable empowers non-developers to build disposable and deeply specific software.
* The concept of "soft guardrails" and why hard blocks fail in AI-assisted workflows.
* Future capabilities of AI pen testing using hundreds of autonomous agents.
* The shared responsibility model when business users build internal applications.



Protecting Vibe Coded Apps and the Shift to "Soft Guardrails" with Igor Andriushchenko

Agentic AI is coming. Are defenders ready?

**Alon Schindel**, Director of Data & Threat Research at Wiz, joins **Eden** and **Amitai** for the **Season 3 Finale**. This isn't just a recap. It is a look at how top-tier research teams operate at speed. Alon explains why Wiz treats research as a "product" rather than a support function. He details the **"DeepLeak"** discovery where his team found thousands of exposed API keys mere hours after a platform's popularity spiked.

**What's Inside:**
* Agentic AI: Why 2026 will be the year AI starts taking action, not just chatting.
* Speed as a Weapon: How to shorten the time between a zero-day and a detection.
* Culture: The power of the "Table" and collaborative chaos.
* Retrospective: Lessons from IngressNightmare and the year in vulnerabilities.

Neuroscience, AI Research & Hiring Swifties with Alon Schindel

Join our lively hosts, Eden and Amitai, as they explore the most fascinating cloud security news of the month.
On this episode:

🧃🔗 More juice on 3CX supply chain attack
✂️💔 PaperCut vulnerabilities
📦🔓 Capita exposed a bucket with sensitive data for 7 years
🚗☁️ Toyota cloud misconfiguration leaked customer data for 10 years
🚢🔄 Trend of hijacking containers for traffic routing

#4 - Daisy Chain: A Double Supply Chain Attack

Resources

More episodes

Hacking GitHub with a Semicolon & Claude with Sagi Tzadik

Protecting Vibe Coded Apps and the Shift to "Soft Guardrails" with Igor Andriushchenko

Neuroscience, AI Research & Hiring Swifties with Alon Schindel

Crying Out Cloud Newsletter